Talos Vulnerability Report

TALOS-2016-0243

Artifex MuPDF JBIG2 Parser Code Execution Vulnerability

May 15, 2017

CVE Number

CVE-2016-8729

Summary

An exploitable memory corruption vulnerability exists in the JBIG2 parser of Artifex MuPDF 1.9. A specially crafted PDF can cause a negative number to be passed to a memset, resulting in memory corruption and potential code execution. An attacker can specially craft a PDF and send it to the victim to trigger this vulnerability.

Tested Versions

Product URLs

CVSSv3 Score

CWE

CWE-122: Heap-based Buffer Overflow

Details

MuPDF is a lightweight PDF, XPS, and E-Book viewer that has packages available for Windows as well as Android, iPad, and iPhone.

During the parsing of a JBIG2 image embedded in a PDF, each image segment is handled based on the flags for that particular segment. Segments with flags 38 or 39 are handled by calling jbig2_immediate_generic_region on the current segment [0].

After extracting the width and height from the segment, jbig2_image_new is called [3]. A stride value is calculated from the width and subsequently checked to ensure a multiplication overflow won't occur [4]. Assuming this check is passed, the resulting stride value is stored in an image object and returned.

If the MMR flag is set in the image segment flags, then the resulting image is passed to jbig2_decode_generic_mmr. During this decoding, the stride value is used directly as the size value in a memset [6].

Using the calculation stride = ((width - 1) >> 3) + 1, a negative value for stride can be achieved. Passing this negative value to memset results in a buffer overflow condition that could possibly be leveraged to gain code execution.
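The arithmetic behind the negative stride, as an added illustration that is not code from the report or from MuPDF/jbig2dec: compute_stride reproduces the formula quoted above with a signed int width; stride_check_passes is a constructed model of the multiplication-overflow guard the report mentions at [4] (its exact form is an assumption) and shows why a negative stride slips through it; memset_length shows the size_t value a negative stride becomes when handed to memset; safe_stride is a hardened variant, added here and not the project's own fix, that rejects non-positive dimensions before the stride is ever computed. The width values in main are constructed.

```c
#include <limits.h>
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Stride formula quoted in the report: stride = ((width - 1) >> 3) + 1.
 * width is a signed int here. A width read from the segment as an
 * unsigned 32-bit value and passed as int can therefore be negative.
 * Right-shifting a negative int is implementation-defined in C; gcc and
 * clang shift arithmetically, which is what makes the result negative. */
int compute_stride(int width)
{
    return ((width - 1) >> 3) + 1;
}

/* Constructed model of the multiplication-overflow check described at [4]
 * (assumption: it only asks whether stride * height fits in an int).
 * Returns 1 if the image would be accepted. A negative stride gives a
 * negative product, which is below INT_MAX, so the check passes. */
int stride_check_passes(int stride, int height)
{
    int64_t product = (int64_t)stride * (int64_t)height;
    return product <= (int64_t)INT_MAX;
}

/* The length memset receives when an int stride is passed as its size_t
 * argument: a negative value converts to a value just below SIZE_MAX. */
size_t memset_length(int stride)
{
    return (size_t)stride;
}

/* Hardened variant (added here, not the project's fix): require positive
 * width and height, compute the stride with division so it cannot go
 * negative or overflow, and keep the multiplication guard.
 * Returns the stride (> 0) on success, or 0 if the image is rejected. */
int safe_stride(int width, int height)
{
    if (width <= 0 || height <= 0)
        return 0;
    int stride = (width - 1) / 8 + 1;   /* equals the shift formula for width > 0 */
    if ((int64_t)stride * (int64_t)height > (int64_t)INT_MAX)
        return 0;
    return stride;
}

int main(void)
{
    /* Constructed widths: two ordinary ones and one that is negative after
     * a uint32 -> int conversion. */
    int widths[] = { 9, 64, -256 };
    for (size_t i = 0; i < sizeof widths / sizeof widths[0]; i++) {
        int w = widths[i];
        int s = compute_stride(w);
        printf("width=%d stride=%d check_passes=%d memset_len=%zu safe_stride=%d\n",
               w, s, stride_check_passes(s, 16), memset_length(s),
               safe_stride(w, 16));
    }
    return 0;
}
```

For width -256 the formula yields stride -32, the product with any positive height is negative and passes a "fits in an int" check, and the memset length becomes SIZE_MAX - 31; the hardened variant rejects the same input before any allocation or memset is reached.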